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Abstract 
This memo defines algorithm names and parameters for use in some of 
the SHA-2 family of secure hash algorithms for data integrity 
verification in the Secure Shell (SSH) protocol. It also updates RFC 
4253 by specifying a new RECOMMENDED data integrity algorithm. 
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1. 


Overview and Rationale 


The Secure Shell (SSH) [RFC4251] is a very common protocol for secure 
remote login on the Internet. Currently, SSH defines data integrity 
verification using SHA-1 and MD5 algorithms [RFC4253]. Due to recent 
security concerns with these two algorithms ([RFC6194] and [RFC6151], 
respectively), implementors and users request support for data 
integrity verification using some of the SHA-2 family of secure hash 
algorithms. 


1. Requirements Terminology 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT", 


"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


Data Integrity Algorithms 


This memo adopts the style and conventions of [RFC4253] in specifying 
how the use of new data integrity algorithms are indicated in SSH. 


The following new data integrity algorithms are defined: 


hmac-sha2-256 RECOMMENDED HMAC-SHA2-256 
(digest length = 32 bytes, 
key length = 32 bytes) 
hmac-sha2-512 OPTIONAL HMAC-SHA2-512 
(digest length = 64 bytes, 
key length = 64 bytes) 
Figure 1 


The Hashed Message Authentication Code (HMAC) mechanism was 
originally defined in [RFC2104] and has been updated in [RFC6151]. 


The SHA-2 family of secure hash algorithms is defined in 
[FIPS-180-3]. 


Sample code for the SHA-based HMAC algorithms are available in 
[RFC6234]. The variants, HMAC-SHA2-224 and HMAC-SHA2-384 algorithms, 
were considered but not added to this list as they have the same 
computational requirements of HMAC-SHA2-256 and HMAC-SHA2-512, 
respectively, and do not seem to be much used in practice. 
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Test vectors for use of HMAC with SHA-2 are provided in [RFC4231]. 
Users, implementors, and administrators may choose to put these new 
MACs into the proposal ahead of the REQUIRED hmac-shal algorithm 
defined in [RFC4253] so that they are negotiated first. 


IANA Considerations 


This document augments the MAC Algorithm Names in [RFC4253] and 
[RFC4250]. 


IANA has updated the "Secure Shell (SSH) Protocol Parameters" 
registry with the following entries: 


MAC Algorithm Name Reference Note 

hmac-sha2-256 RFC 6668 Section 2 

hmac-sha2-512 RFC 6668 Section 2 
Figure 2 


Security Considerations 


The security considerations of RFC 4253 [RFC4253] apply to this 
document. 


The National Institute of Standards and Technology (NIST) 
publications: NIST Special Publication (SP) 800-107 [800-107] and 
NIST SP 800-131A [800-131A] suggest that HMAC-SHA1l and HMAC-SHA2-256 
have a security strength of 128 bits and 256 bits, respectively, 
which are considered acceptable key lengths. 


Many users seem to be interested in the perceived safety of using the 
SHA2-based algorithms for hashing. 
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